"We need to keep PAN in call recordings!" Really?
As I've discussed before, I often hear call center executives tell me that they retain the PAN in call recordings. One point which they claim makes it acceptable or sensible is:
"We need to keep the PAN in our call recordings, because of [some requirement]"
What is that reason?
Is it useful to you in any way at all? You may think it is, and I've heard several answers to this question. Let's list them, and my responses.
"I use it for refunds."
OK, so if you need to give a customer a refund, you take a minimum of 5-10 minutes to locate the exact recording on which the customer made the purchase (how are you planning to find that exact call?), you then listen to the call in order to find the point at which the card number is spoken to the agent, and issue a refund based on that number?
I'll be blunt: that is madness.
You need a process for issuing refunds which doesn't require reference to the call recording.
"I use it for internal fraud detection."
"I work in an industry where law enforcement or regulated financial services officers require the full card number for investigating crime or fraud."
I appreciate this argument, honestly. As much as the PCI and anti-fraud community wants to remove card data from as many places as possible, we have to understand that there are many organizations like police forces who feel comfortable handling (or require) real card data. (And remember that the law always trumps PCI DSS.)
So the question here becomes: How does a merchant limit both their PCI scope and fraud risk, while complying with legal requirements?
The answer is tokenization. (Or tokenisation. Whatever you're into.)
If you tokenize card data, and only store it tokenized, then you can implement a process whereby authorized staff members can switch a token back into the PAN. This can then be passed on to fraud/crime investigators. You don't need to store the PAN in the call recording (or anywhere else).
In general, actually, the answer to many (all?) of the above concerns is tokenization.
Settlement, chargebacks, adjustments and refunds are also then handled using the token.
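The process described above, sketched as an added example (not code from this post or from any tokenization product): a vault issues a random token for each PAN, and only an authorized role can switch a token back, with every attempt logged. The `TokenVault` class, the `fraud_investigator` role name and the token format are assumptions, and the in-memory dictionaries stand in for a hardened, encrypted vault.

```python
import secrets
from datetime import datetime, timezone

# Assumption: the role name is hypothetical; map it to your own access-control groups.
AUTHORIZED_ROLES = {"fraud_investigator"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so mistyped numbers are rejected before they are vaulted."""
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """In-memory stand-in for a hardened vault (encrypted, access-controlled store)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}
        self.audit_log = []  # every detokenization attempt, allowed or not

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:  # same card, same token: refunds can be matched
            return self._token_by_pan[pan]
        # Random value with no mathematical link to the PAN; last four kept for lookup.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, user: str, role: str, reason: str) -> str:
        allowed = role in AUTHORIZED_ROLES
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, role, token, reason, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not detokenize")
        return self._pan_by_token[token]  # KeyError if the token is unknown


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")  # constructed test card number
    print(token, vault.detokenize(token, "alice", "fraud_investigator", "case file"))
```

Only the token would be stored against the order or call record; the audit log gives a reviewable trail of who requested a PAN and why.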
"But implementing tokenization is really difficult."
Well, that's probably correct if you are picturing a traditional approach where you have to change your payment processes entirely and spend capex to implement tokenization. But there are certainly (way) easier approaches. (This is not a sales piece.)
So I see no good reason why you 'need' to keep PANs in call recordings.
Am I wrong? Are there in fact good reasons you NEED to keep PANs, which I haven't understood properly?
Please do let me know in the comments - I am keen to learn.